Windows 8 stores passwords in the cloud

Microsoft has announced that it will include a password manager in Windows 8 to make it easier to use secure, but convenient, passwords. When a user logs onto a system using Windows Live, access data will be synchronised between computers.

The credentials manager will collect access credentials for applications on first use and then use them automatically the next time the password is requested, just like a browser. The first application to use the new digital safe will be Internet Explorer 10, but Metro apps will also be able to store passwords using a special API.

Microsoft hopes that this will reduce password reuse, with all the problems that entails. For reasons of convenience, many users use the same password for multiple web sites. If one of these sites gets hacked, the hacker is then able to access other web services. With Windows 8, users will only have to remember their Windows Live credentials. If a user forgets these, they can have them sent to them online from another computer.

If the Windows Live password falls into the wrong hands and is then changed, the user will still be able to log onto their computer. Windows 8 will accept the last password successfully used to log onto the system. To enable the legitimate user to regain access to their account, they can request a confirmation code be sent to a mobile phone number or email address registered with Windows Live. If the user did not enter these details when they registered with Windows Live, they will be required to do so the first time they use Windows 8.

The credentials manager can also be used by users who do not have a Windows Live ID, simply by logging in using the conventional username and password. They will not, however, be able to use the synchronisation feature. Windows 8 will also allow users to log in using biometric devices (such as fingerprint scanners) or images. The latter involves drawing gestures on an image and is particularly aimed at tablets.

Windows 8 will also be able to store private keys, used predominantly for authentication in enterprise environments, using the new key storage provider (KSP) in a computer's trusted platform module (TPM chip). Keys stored in the TPM can be loaded as "virtual smart cards", which should be supported by any application that uses smart cards.